Azure API Management Client credential manager - OAuth2 - Client credentail flow : Missing scope field

Torsten Rinke 5

Hello,

the Azure API Management Client credential manager is currently missing the scope field for the generic OAuth2 identity provider and client credentail flow. This causes issues for all identity provider which require scope. In our particular use case we want to get an access token from Okta without defining default scopes on Okta side.

Does anybody know a workaround or product timeline when this field is added?

Best regards,

Torsten

JananiRamesh-MSFT 27,836 Reputation points

2024-07-22T17:13:09.6133333+00:00

@Torsten Rinke Thanks for reaching out. I am looking into this will get back to you shortly.
JananiRamesh-MSFT 27,836 Reputation points

2024-07-24T03:43:45.82+00:00

@Torsten Rinke Thanks for your patience! For a workaround, you can still specify scopes in a Create Authorization Provider REST request: Authorization Provider - Create Or Update - REST API (Azure API Management) | Microsoft Learn

checking internally with our product group team for timeline when this field is added in Portal UI

do let me know incase of further queries, I would be happy to assist you.
Torsten Rinke 5 Reputation points

2024-07-24T09:58:57.38+00:00

Hello,

thank you for your quick investigation. I have followed the documentation and figured out that no scopes are stored when a new authentication provider for generic oaut2 and clientCredential grant type is created. Scope is not returned in the response body and creating a connection fails with message from the identity provider (Okta) that the scope is missing.

To double check i have created an authentication provider for generic oaut2 and authorizationCode grant type. Here scopes are returned in the response body.

So I assume that scopes are not supported in general for for generic oaut2 and clientCredential grant type. It is not just a portal issue.

Best regards,

Torsten

3 answers

JananiRamesh-MSFT 27,836 Reputation points

2024-07-25T04:08:16.0266667+00:00

@Torsten Rinke Thanks for getting back, I had a discussion internally and confirmed that the scope parameter is generally not used for the client credentials flow, as the credentials themselves give access to the resource and relying on the scope to limit access, given that the scope is provided by the same client that provides the credentials, is not secure.

In the client credentials flow, the client application is authenticated using its client ID and client secret, and the access token is issued based on the permissions granted to the client application. The scope parameter is not used in this flow, as the client application is already authorized to access the resource.

do let me know incase of further queries, I would be happy to assist you.
Please sign in to rate this answer.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Torsten Rinke 5 Reputation points

2024-07-25T08:08:38.8866667+00:00

Hello,

thank you for your reply. But I have to disagree with your view. The scope parameter is part of the specification which is referenced by Microsoft as well.https://datatracker.ietf.org/doc/html/rfc6749#section-4.4

Requests to the toke endpoint https://login.microsoftonline.com/<your subscription id>/oauth2/v2.0/token without scope parameter return something like:

{"error":"invalid_request","error_description":"AADSTS90014: The required field 'scope' is missing

from the credential. Ensure that you have all the necessary parameters for the login request. Trace ID: 559a7819-e9c7-43f4-bd67-d30652929a00 Correlation ID: 4d85cdb1-b354-44e7-ba36-ad0c9002dd21 Timestamp: 2024-07-25 07:01:46Z","error_codes":[90014],"timestamp":"2024-07-25 07:01:46Z","trace_id":"559a7819-e9c7-43f4-bd67-d30652929a00","correlation_id":"4d85cdb1-b354-44e7-ba36-ad0c9002dd21","error_uri":"https://login.microsoftonline.com/error?code=90014"}

This in in line with the behaviour described in https://datatracker.ietf.org/doc/html/rfc6749#section-3.3

My interpretation:

Not supporting the scope parameter for OAuth2 identity providers is a substantial restriction in Azure API Management. Basically it excludes use cases which require integration with other OAuth2 Identity providers.

Would you please catchup with the product devlopment team on the topic?

Best regards,

Torsten

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

JananiRamesh-MSFT 27,836 Reputation points

2024-08-02T05:56:15.3733333+00:00

@Torsten Rinke Thanks for getting back, will check with our Product group team and get back to you on this.

Meanwhile please feel free to leave your feedback at http://aka.ms/apimwish

Senthil K 0 Reputation points

2024-10-03T02:48:58.9966667+00:00

Hey @JananiRamesh-MSFT !

I am in same boat and trying to make this solution work. But stuck badly. I saw your earlier comment regarding the https://learn.microsoft.com/en-us/rest/api/apimanagement/authorization-provider/create-or-update?view=rest-apimanagement-2022-08-01&tabs=HTTP#apimanagementcreateauthorizationprovideraadclientcred

I tried that one too but it wont accept scope. I don't get any error but scope is never saved. I am stuck on this and wanted to check if there is any other alternate to get scoped updated.

Guillaume R 0 Reputation points

2024-10-23T07:44:03.4266667+00:00

Hi,

We’re having the same issue trying to use the credential manager generic oauth2 were the targeted identity providers require the scope parameter to be set for client_credentials flow.

Any idea when you will fix this issue? (I consider this an issue and not a new feature as even Microsoft EntraID is requiring scope). Without this we cannot use credential manager :(

Thanks

Torsten Rinke 5 Reputation points

2024-10-23T08:08:50.3666667+00:00

Hi Guillaume,

I solved the problem with a policy. Basically you can sent a separate request for a token to any authorization server and use the returned access token in your request to the backend

I have used snippets from https://github.com/Azure/api-management-policy-snippets/tree/master as baseline. You will see examples of policy fragments to sent the request and replace the authorization header.

Best regards,

Torsten
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

Azure API Management Client credential manager - OAuth2 - Client credentail flow : Missing scope field

3 answers

Your answer